author | Nicolas Williams <nico@cryptonector.com> | 2011-11-10 15:39:13 -0600 |
---|---|---|
committer | Nicolas Williams <nico@cryptonector.com> | 2011-11-10 15:39:13 -0600 |
commit | 9381adb08c99206bb4a4ccb75e9fb5a8c67d42e4 (patch) | |
tree | 3b45ad20306d177a1d8c7c46c2f9f145ef8c53f5 | |
parent | e0c275cc057ec4cbbb59a182751a3ed61a2e7d9c (diff) | |
download | gss-proxy-9381adb08c99206bb4a4ccb75e9fb5a8c67d42e4.tar.gz gss-proxy-9381adb08c99206bb4a4ccb75e9fb5a8c67d42e4.tar.xz gss-proxy-9381adb08c99206bb4a4ccb75e9fb5a8c67d42e4.zip |
Added some notes regarding when to proxy, when not, how to tell
-rw-r--r-- | NOTES | 30 |
1 files changed, 30 insertions, 0 deletions
@@ -0,0 +1,30 @@ + + - How to handle mixed proxied and non-proxied credentials for one + process? + + Idea #0: Always use the proxy or no proxy. Period. Use an env var to + select mechglue config. + + Idea #1: Some mechglue magic and minor constraints on the applications. + + - mechglue needs to allow multiple providers to provide same + mechanisms, with GSS_Acquire/Add_cred*() trying all providers for + the desired mechanism(s) in order till one works or all fail; + + - this does not work for GSS_Init/Accept_sec_context() when using + the default credential; + + - for GSS_Init_sec_context() just pick one provider to be first + for default credential and let apps that want the other + provider acquire a credential handle instead of using the + default one (e.g., ssh -o GSSAPIInitiatorCredential=...); + + - for GSS_Accept_sec_context() declare that all acceptor + credentials for any given mechanism must be proxied or not; + + Idea #2: Use PGSS or GSS-APIv3 so we can have a caller context handle + via which to specify mechglue configuration. + + - SPNEGO (any pseudo-mechanism) should not be proxied, as it will + re-enter the mechglue and call the proxy(ies) if needed (or not) as + appropriate. |
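Review bot: The "try all providers ... in order till one works or all fail" rule under Idea #1 leaves an important failure mode undocumented: if the proxied provider is listed first and the proxy is unreachable or rejects the request, GSS_Acquire/Add_cred*() would silently fall through to the next provider and the process could end up acquiring a local, non-proxied credential that the deployment intended to keep out of its address space. The NOTES should state whether such fallback is permitted at all, and if so that the provider order and any fallback must be fixed by privileged configuration rather than by the caller. The same concern applies to Idea #0, where the selection of mechglue config is made via an environment variable: the note should record that an env var is under the control of whoever starts the process, so it can only be a policy knob where the process environment is already trusted. Finally, the acceptor constraint under Idea #1 ("all acceptor credentials for any given mechanism must be proxied or not") is stated as a declaration but not as something the mechglue checks; suggest adding a line saying whether a violation is detected and reported at GSS_Accept_sec_context() time or simply treated as a misconfiguration.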